CN101523800B - Method and apparatus for mutual authentication - Google Patents

Publication number
CN101523800B
Authority
CN
China
Prior art keywords
random number
hash
instance
encrypted
digital rights
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN2007800377025A
Other languages
Chinese (zh)
Other versions
CN101523800A (en
Inventor
A. Perez
L. R. Dondeti
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qualcomm Inc
Original Assignee
Qualcomm Inc

Abstract

Disclosed is a method for mutual authentication between a station, having a digital rights agent, and a secure removable media device. The digital rights agent initiates mutual authentication by sending a message to the secure removable media device. The secure removable media device encrypts a first random number using a public key associated with the digital rights agent. The digital rights agent decrypts the encrypted first random number, and encrypts a second random number and a first hash based on at least the first random number. The secure removable media device decrypts the encrypted second random number and the first hash, verifies the first hash to authenticate the digital rights agent, and generates a second hash based on at least the second random number. The digital rights agent verifies the second hash to authenticate the secure removable media device.

Description

Method and apparatus for mutual authentication
Claim of priority under 35 U.S.C. §119
The present patent application claims priority to provisional application No. 60/850,882, entitled "METHODS AND APPARATUS FOR MUTUAL AUTHENTICATION", filed on October 10, 2006. That provisional application is assigned to the assignee of the present application and is hereby expressly incorporated herein by reference.
Technical field
The present invention relates generally to wireless communications and, more specifically, to mutual authentication.
Background
A mobile subscriber may want to access content protected by a system that requires authentication with another entity or agent. A common authentication protocol is the Internet Key Exchange (IKE) protocol described in RFC 4306. However, the IKE protocol assumes that the entities in the authentication process have enough computing or processing power that the speed of authentication is not a concern.
There is therefore a need in the art for a technique for efficient mutual authentication with a device that has limited processing power.
Summary of the invention
One aspect of the present invention relates to a method for mutual authentication between a first entity and a second entity. In the method, the first entity initiates mutual authentication by sending a message to the second entity. The second entity verifies a first public key associated with the first entity, generates a first random number, encrypts the first random number using the first public key, and sends the encrypted first random number in a message to the first entity. The first entity verifies a second public key associated with the second entity, decrypts the encrypted first random number using a first private key corresponding to the first public key, generates a second random number, generates a first hash based on at least the first random number, encrypts the second random number and the first hash using the second public key, and sends the encrypted second random number and first hash in a message to the second entity. The second entity decrypts the encrypted second random number and first hash using a second private key corresponding to the second public key, verifies the first hash to authenticate the first entity, generates a second hash based on at least the second random number, and sends the second hash to the first entity. The first entity verifies the second hash to authenticate the second entity.
In more detailed aspects of the invention, the first entity and the second entity each use the first random number and the second random number to derive a session encryption key and a message authentication code (MAC) key based on a key derivation function, for use in communications between the first entity and the second entity.
In addition, the message initiating mutual authentication may include a hash of at least one trusted root key and a corresponding certificate chain for the first entity. The certificate chain for the first entity may include the public key associated with the first entity. Likewise, the message from the second entity to the first entity carrying the encrypted first random number may also include a certificate chain for the second entity. The certificate chain for the second entity may include the public key associated with the second entity.
In other more detailed aspects of the invention, the first entity may be a digital rights agent of a mobile station, and the second entity may be a secure removable media device. The second entity may have limited processing power. Also, the first hash may be further based on the second random number, such that the first hash is generated from the first random number concatenated with the second random number. The second hash may be further based on the first random number, or further based on the first hash, such that the second hash may be based on the second random number concatenated with the first hash.
Another aspect of the present invention may relate to an apparatus for mutual authentication. The apparatus includes: a module for initiating mutual authentication; a module for verifying a first public key, generating a first random number, and encrypting the first random number using the first public key; a module for verifying a second public key, decrypting the encrypted first random number using a first private key corresponding to the first public key, generating a second random number, generating a first hash based on at least the first random number, and encrypting the second random number and the first hash using the second public key; a module for decrypting the encrypted second random number and first hash using a second private key corresponding to the second public key, verifying the first hash for authentication, and generating a second hash based on at least the second random number; and a module for verifying the second hash for authentication.
Another aspect of the present invention may relate to a mobile station that performs mutual authentication with a secure removable media device, the mobile station including a digital rights agent. The digital rights agent initiates mutual authentication by sending a message to the secure removable media device, wherein the secure removable media device verifies a first public key associated with the digital rights agent, generates a first random number, encrypts the first random number using the first public key, and sends the encrypted first random number in a message to the digital rights agent. The digital rights agent verifies a second public key associated with the secure removable media device, decrypts the encrypted first random number using a first private key corresponding to the first public key, generates a second random number, generates a first hash based on at least the first random number, encrypts the second random number and the first hash using the second public key, and sends the encrypted second random number and first hash in a message to the secure removable media device, wherein the secure removable media device decrypts the encrypted second random number and first hash using a second private key corresponding to the second public key, verifies the first hash to authenticate the digital rights agent, generates a second hash based on at least the second random number, and sends the second hash to the digital rights agent. The digital rights agent verifies the second hash to authenticate the secure removable media device.
Another aspect of the present invention relates to a computer program product comprising a computer-readable medium. The computer-readable medium comprises: code for causing a computer to cause a station having a digital rights agent to initiate mutual authentication by sending a message to a secure removable media device, wherein the secure removable media device verifies a first public key associated with the digital rights agent, generates a first random number, encrypts the first random number using the first public key, and sends the encrypted first random number in a message to the digital rights agent; code for causing a computer to cause the digital rights agent to verify a second public key associated with the secure removable media device, decrypt the encrypted first random number using a first private key corresponding to the first public key, generate a second random number, generate a first hash based on at least the first random number, encrypt the second random number and the first hash using the second public key, and send the encrypted second random number and first hash in a message to the secure removable media device, wherein the secure removable media device decrypts the encrypted second random number and first hash using a second private key corresponding to the second public key, verifies the first hash to authenticate the digital rights agent, generates a second hash based on at least the second random number, and sends the second hash to the digital rights agent; and code for causing a computer to cause the digital rights agent to verify the second hash to authenticate the secure removable media device.
Another aspect of the present invention may relate to a computer program product comprising a computer-readable medium. The computer-readable medium comprises: code for causing a computer to cause a secure removable media device to verify a first public key associated with a digital rights agent, generate a first random number, encrypt the first random number using the first public key, and send the encrypted first random number in a message to the digital rights agent, wherein the digital rights agent verifies a second public key associated with the secure removable media device, decrypts the encrypted first random number using a first private key corresponding to the first public key, generates a second random number, generates a first hash based on at least the first random number, encrypts the second random number and the first hash using the second public key, and sends the encrypted second random number and first hash in a message to the secure removable media device; and code for causing a computer to cause the secure removable media device to decrypt the encrypted second random number and first hash using a second private key corresponding to the second public key, verify the first hash to authenticate the digital rights agent, generate a second hash based on at least the second random number, and send the second hash to the digital rights agent, wherein the digital rights agent verifies the second hash to authenticate the secure removable media device.
Brief description of the drawings
Fig. 1 is an example of a wireless communication system;
Fig. 2 is a block diagram of a mobile station and a secure removable media device that perform mutual authentication;
Fig. 3 is a flow chart of a method for mutual authentication between a mobile station and a secure removable media device.
Detailed description
The word "exemplary" is used in this application to mean "serving as an example, instance, or illustration." Any embodiment described in this application as "exemplary" should not be construed as preferred or advantageous over other embodiments.
A remote station, also known as a mobile station (MS), an access terminal (AT), user equipment or a subscriber unit, may be mobile or stationary, and may communicate with one or more base stations, also known as base transceiver stations (BTS) or Node Bs. A remote station transmits data packets to, and receives data packets from, a base station controller, also known as a radio network controller (RNC), through one or more base stations. Base stations and base station controllers are parts of a network called an access network. The access network transports data packets between multiple remote stations. The access network may be further connected to other networks outside the access network, such as a corporate intranet or the Internet, and may transport data packets between each remote station and those outside networks. A remote station that has established an active traffic channel connection with one or more base stations is called an active remote station, and is said to be in a traffic state. A remote station that is in the process of establishing an active traffic channel connection with one or more base stations is said to be in a connection setup state. A remote station may be any data device that communicates through a wireless channel. A remote station may also be any of a number of types of devices, including but not limited to a PC card, compact flash, an external or internal modem, or a wireless phone. The communication link through which the remote station sends signals to the base station is called the uplink, also known as the reverse link. The communication link through which the base station sends signals to the remote station is called the downlink, also known as the forward link.
With reference to Fig. 2, a wireless communication system 100 includes one or more wireless mobile stations (MS) 102, one or more base stations (BS) 104, one or more base station controllers (BSC) 106, and a core network 108. The core network is connected to the Internet 110 and to a public switched telephone network (PSTN) 112 via suitable backhauls. A typical wireless mobile station is a handheld phone or a laptop computer. The wireless communication system 100 may use any of a number of multiple access techniques, such as code division multiple access (CDMA), time division multiple access (TDMA), frequency division multiple access (FDMA), space division multiple access (SDMA), polarization division multiple access (PDMA), or other modulation techniques known in the art.
Many low-cost devices with limited computing power, such as smart cards and flash memory (in many different form factors), are appearing on the market. Such devices may require authentication. For example, it is desirable for these devices to hold rights for use with digital rights management (DRM) systems. Before rights are exchanged with these devices, there should be mutual authentication of both entities involved in the exchange, so that the exchange is limited to authenticated entities. These embodiments provide an efficient method for performing the mutual authentication, and also provide a confirmed exchange of a key that is then used in further communications between the entities involved. The efficiency is in terms of both computing power and computing speed.
As those skilled in the art will recognize, the mutual authentication schemes can be used any time mutual authentication between two entities is required. The mutual authentication schemes are not limited to the specific applications (such as digital rights management), systems, and devices used here to describe the embodiments.
One embodiment of the present invention performs mutual authentication with a confirmed key exchange using an exchange of 4 messages. This requires 2 public key signature verifications (+1 for each intermediate certificate), 2 public key encryptions, 2 public key decryptions, 2 hash generations, and 2 hash verifications. The specific number of messages, public key verifications, public key decryptions, hash generations, and hash verifications may be split up or altered to reach the required security and efficiency.
The efficiency of the protocol is improved by minimizing the number of public key cryptographic operations and by using hash functions to provide proof of possession of the exchanged key material.
The efficient mutual authentication and confirmed key exchange protocol described above is intended for use with compute-bound devices. The efficiency is achieved by minimizing the number of public key operations and by using cryptographic hashes to provide proof of possession.
The protocol is illustrated with reference to Figs. 2 and 3, which show a method 300 (Fig. 3) for mutual authentication. The steps below correspond to the numbered arrows in Fig. 3.
In method 300, entity A (for example, the DRM agent 202 of the MS 102) sends a HelloA message (step 302) to entity B (for example, a secure removable media (SRM) device 204 having an SRM agent 206). The SRM agent manages access to the secure storage 208 in the SRM device. (The operating system 210 of the MS can directly access the general storage 212 of the SRM device.) HelloA contains hashes of the trusted root keys (or the root keys themselves) and the corresponding certificate chains. On receiving this message, entity B finds in the message a root key that it trusts, and finds the certificate chain under the selected root key. Entity B verifies entity A's certificate chain under the selected root key.
Entity B generates a random number RanB (step 304).
Entity B sends a HelloB message (step 306) to entity A. HelloB contains B's certificate chain under the selected root key, together with RanB encrypted with entity A's public key, which is taken from the certificate chain selected after step 302. On receiving this message, entity A verifies entity B's certificate chain. If it is valid, entity A decrypts RanB using its private key (corresponding to the selected root key).
Note that once root key selection and certificate chain exchange have taken place, entity A and entity B each hold the other's certificate chain. These parameters therefore do not need to be sent between entity A and entity B in later HelloA and HelloB messages for a later mutual authentication. In that case, the certificate chain exchange in steps 302 and 306 is optional.
Entity A generates a random number RanA (step 308).
Entity A sends a KeyConfirmA message (step 310) to entity B. KeyConfirmA contains RanA concatenated with the hash of RanA concatenated with RanB (H[RanA|RanB]), all of it encrypted with B's public key. On receiving this message, entity B decrypts it. Using the decrypted RanA, entity B verifies the hash of RanB concatenated with RanA. Note: at this step, entity B has authenticated entity A and is assured that entity A knows RanB.
Entity B sends a KeyConfirmB message (step 312) to entity A. KeyConfirmB contains the hash of the decrypted portion of the KeyConfirmA message. On receiving this message, entity A verifies this hash. Note: at this step, entity A has authenticated entity B and is assured that entity B knows RanA.
At this point, the two entities have authenticated each other and have confirmed that they both share the same RanA and RanB. RanA and RanB can now be used to derive a session encryption key (SK) and a MAC key (MK) based on a key derivation function (KDF), for use in further communications between the entities (step 314).
The messages are described in detail below. The HelloA message is sent to initiate mutual authentication using the key confirmation protocol. HelloA has a "version" parameter and a "root and chains[]" (rootAndChains[]) parameter. The version parameter can be an 8-bit value containing the protocol version of this message. It is mapped as the 5 MSBs for the major version and the 3 LSBs for the minor version. The rootAndChains[] parameter can be an array of the root hashes and certificate chains of entity A for all the trust models that A supports. The structure of this parameter, RootHashAndCerChain, consists of a root hash parameter and a certificate chain parameter: the root hash is the SHA-1 hash of the root public key of the trust model, and the certificate chain is the entity's certificate chain under that root public key. The entity's certificate comes first, followed by any CA certificates (in signing order) up to but not including the root certificate.
The HelloB message is sent by entity B to continue mutual authentication using the key confirmation protocol. Its parameters are "version", "status", "certificate chain" and "encrypted RanB". The version parameter can be an 8-bit value containing the protocol version of this message. It is mapped as the 5 MSBs for the major version and the 3 LSBs for the minor version. The status parameter can be an 8-bit value containing the status of entity B after processing the HelloA message. The values of the status parameter can be: 0 for success (no error was encountered with the previous message), and 1 for no shared root key (entity B did not find a root key that it shares with entity A). Values 2-255 are reserved for other uses. The certificate chain parameter is entity B's certificate chain under the root key selected from the HelloA message. If the value of the status parameter is not success, the certificate chain parameter is not present. The encrypted RanB parameter is RanB encrypted with RSA-OAEP using entity A's public key (from the selected certificate chain). RanB can be a 20-byte random number generated by entity B. If the value of the status parameter is not success, the encrypted RanB parameter is not present.
The KeyConfirmA message is sent by entity A to continue mutual authentication using the key confirmation protocol. KeyConfirmA has a "version" parameter and an "encrypted RanB" parameter. The version parameter can be an 8-bit value containing the protocol version of this message. It is mapped as the 5 MSBs for the major version and the 3 LSBs for the minor version. The encrypted RanB parameter can be an RSA-OAEP-encrypted key confirmation data structure containing a "RanA" parameter and a "hash BA" parameter. The RanA parameter can be a 20-byte random number generated by entity A, and the hash BA parameter is the SHA-1 hash of RanB concatenated with RanA.
The KeyConfirmB message is sent by entity B to complete mutual authentication using the key confirmation protocol. KeyConfirmB has a "version" parameter, a "status" parameter and a "hash key confirm" parameter. The version parameter can be an 8-bit value containing the protocol version of this message. It is mapped as the 5 MSBs for the major version and the 3 LSBs for the minor version. The status parameter can be an 8-bit value containing the status of entity B after processing this message. The hash key confirm parameter can be the SHA-1 hash of the key confirmation data structure decrypted by entity B. If the value of the status parameter is not success, this parameter is not present.
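The exchange of steps 302 to 312 with the message contents described above, as an added example that is not part of the patent text. It assumes certificate chain validation has already yielded each peer's public key, hand-rolls RSA-OAEP (SHA-1, MGF1) over toy keys built from Mersenne primes (constructed demo values, not secure), computes hash BA as SHA-1(RanB | RanA) per the detailed message description, and uses hypothetical function and field names throughout.

```python
import hashlib
import hmac
import secrets

E = 65537
HLEN = 20  # SHA-1 digest size; RanA and RanB are 20 bytes as well

def make_key(p, q):
    # Toy RSA key from two Mersenne primes: constructed demo values, NOT secure.
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1)), "k": (n.bit_length() + 7) // 8}

def public(key):
    return {"n": key["n"], "k": key["k"]}

def mgf1(seed, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encrypt(pub, msg):
    # RSAES-OAEP encoding with SHA-1, MGF1 and an empty label.
    k = pub["k"]
    if len(msg) > k - 2 * HLEN - 2:
        raise ValueError("message too long")
    db = hashlib.sha1(b"").digest() + bytes(k - len(msg) - 2 * HLEN - 2) + b"\x01" + msg
    seed = secrets.token_bytes(HLEN)
    masked_db = xor(db, mgf1(seed, k - HLEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, HLEN))
    em = int.from_bytes(b"\x00" + masked_seed + masked_db, "big")
    return pow(em, E, pub["n"]).to_bytes(k, "big")

def oaep_decrypt(key, ct):
    # Demo decoder: functionally correct, not hardened against timing side channels.
    k = key["k"]
    c = int.from_bytes(ct, "big")
    if len(ct) != k or c >= key["n"]:
        raise ValueError("decryption error")
    em = pow(c, key["d"], key["n"]).to_bytes(k, "big")
    masked_seed, masked_db = em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, k - HLEN - 1))
    rest = db[HLEN:]
    sep = rest.find(b"\x01")
    if em[0] != 0 or db[:HLEN] != hashlib.sha1(b"").digest() or sep < 0 or any(rest[:sep]):
        raise ValueError("decryption error")
    return rest[sep + 1:]

def pack_version(major, minor):
    return ((major & 0x1F) << 3) | (minor & 0x07)  # 5 MSBs major, 3 LSBs minor

def b_hello(pub_a):
    ran_b = secrets.token_bytes(HLEN)                       # step 304
    hello_b = {"version": pack_version(1, 0), "status": 0,  # status 0 = success
               "encRanB": oaep_encrypt(pub_a, ran_b)}       # step 306
    return ran_b, hello_b

def a_key_confirm(key_a, pub_b, hello_b):
    if hello_b["status"] != 0:
        raise ValueError("HelloB status is not success")
    ran_b = oaep_decrypt(key_a, hello_b["encRanB"])
    ran_a = secrets.token_bytes(HLEN)                       # step 308
    data = ran_a + hashlib.sha1(ran_b + ran_a).digest()     # RanA | hash BA
    return ran_a, ran_b, data, oaep_encrypt(pub_b, data)    # step 310

def b_key_confirm(key_b, ran_b, enc_data):
    data = oaep_decrypt(key_b, enc_data)
    if len(data) != 2 * HLEN:
        raise ValueError("bad key confirmation data length")
    ran_a, hash_ba = data[:HLEN], data[HLEN:]
    if not hmac.compare_digest(hash_ba, hashlib.sha1(ran_b + ran_a).digest()):
        raise ValueError("hash BA mismatch: peer does not know RanB")
    return ran_a, hashlib.sha1(data).digest()               # step 312

def a_finish(data, hash_key_confirm):
    if not hmac.compare_digest(hash_key_confirm, hashlib.sha1(data).digest()):
        raise ValueError("hash key confirm mismatch: peer does not know RanA")
    return True

KEY_A = make_key(2**521 - 1, 2**607 - 1)    # entity A (e.g. DRM agent), toy key
KEY_B = make_key(2**1279 - 1, 2**2203 - 1)  # entity B (e.g. SRM agent), toy key

def handshake():
    ran_b, hello_b = b_hello(public(KEY_A))
    ran_a, ran_b_at_a, data, key_confirm_a = a_key_confirm(KEY_A, public(KEY_B), hello_b)
    ran_a_at_b, hash_kc = b_key_confirm(KEY_B, ran_b, key_confirm_a)
    a_finish(data, hash_kc)
    # Each side's view of (RanA, RanB), the inputs to the KDF in step 314.
    return {"a": (ran_a, ran_b_at_a), "b": (ran_a_at_b, ran_b)}
```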
Another aspect of the present invention can relate to a mobile station 102 comprising a control processor 216 and an OS 210 for causing the DRM agent 202 to implement method 300. Another aspect of the present invention can relate to a computer program product comprising a computer-readable medium (such as memory device 218) that contains code for causing a computer to cause the DRM agent to perform the steps of method 300.
Those skilled in the art will understand that information and signals can be represented using a variety of different technologies and techniques. For example, the data, instructions, commands, information, signals, bits, symbols and chips referred to throughout the above description can be represented by voltages, currents, electromagnetic waves, magnetic fields or particles, optical fields or particles, or any combination thereof.
Those skilled in the art will further appreciate that the various exemplary logical blocks, modules, circuits and algorithm steps described in connection with the embodiments of this application can be implemented as electronic hardware, computer software, or a combination of both. To illustrate this interchangeability of hardware and software clearly, the various exemplary components, blocks, modules, circuits and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or as software depends on the particular application and the design constraints imposed on the overall system. Those skilled in the art can implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as a departure from the scope of the present invention.
The various exemplary logical blocks, modules and circuits described in connection with the embodiments of this application can be implemented or performed with a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described in this application. A general-purpose processor can be a microprocessor or, alternatively, any conventional processor, controller, microcontroller or state machine. A processor can also be implemented as a combination of computing devices, for example a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors together with a DSP core, or any other such configuration.
The steps of a method or algorithm described in connection with the embodiments of this application can be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module can reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor so that the processor can read information from, and write information to, the storage medium. Alternatively, the storage medium can be integral to the processor. The processor and the storage medium can reside in an ASIC. The ASIC can reside in a user terminal. The processor and the storage medium can also reside in a user terminal as discrete components.
In one or more exemplary embodiments, the described functions can be implemented in hardware, software, firmware, or any combination thereof. If implemented in software as a computer program product, the functions can be stored on, or transmitted over, a computer-readable medium as one or more instructions or code. Computer-readable media include both computer storage media and communication media, including any medium that facilitates the transfer of a computer program from one place to another. A storage medium can be any available medium that a computer can access. By way of example and not limitation, such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. Also, any connection is properly termed a computer-readable medium. For example, if the software is transmitted from a website, server or other remote source using a coaxial cable, fiber-optic cable, twisted pair, digital subscriber line (DSL), or wireless technologies such as infrared, radio and microwave, then the coaxial cable, fiber-optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio and microwave are included in the definition of medium. Disk and disc, as used in this application, include compact disc (CD), laser disc, optical disc, digital versatile disc (DVD), floppy disk and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above are also included within the scope of computer-readable media.
The above description of the embodiments of the invention is provided to enable those skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined in this application can be applied to other embodiments without departing from the spirit and scope of the invention. The present invention is therefore not limited to the embodiments given in this application, but is to be accorded the widest scope consistent with the principles and novel features disclosed in this application.

Claims (21)

1. A method for mutual authentication between a first entity and a second entity, comprising:
the first entity initiating mutual authentication by sending a message to the second entity, wherein the message initiating mutual authentication comprises a hash of at least one trusted root key and a corresponding certificate chain of the first entity;
the second entity verifying a first public key associated with the first entity, generating a first random number, encrypting the first random number using the first public key, and sending the encrypted first random number in a message to the first entity, wherein the message comprising the encrypted first random number that is sent from the second entity to the first entity further comprises a certificate chain of the second entity;
the first entity verifying a second public key associated with the second entity, decrypting the encrypted first random number using a first private key corresponding to the first public key, generating a second random number, generating a first hash based on at least the first random number, encrypting the second random number and the first hash using the second public key, and sending the encrypted second random number and first hash in a message to the second entity;
the second entity decrypting the encrypted second random number and first hash using a second private key corresponding to the second public key, verifying the first hash in order to authenticate the first entity and to determine that the first entity knows the first random number, generating a second hash based on at least the second random number, and sending the second hash to the first entity; and
the first entity verifying the second hash in order to authenticate the second entity and to determine that the second entity knows the second random number.
2. The method for mutual authentication according to claim 1, wherein the first entity and the second entity each use the first random number and the second random number to derive a session encryption key and a message authentication code (MAC) key according to a key derivation function, for use in communication between the first entity and the second entity.
3. The method for mutual authentication according to claim 1, wherein the first entity is a digital rights agent and the second entity is a secure removable media device.
4. The method for mutual authentication according to claim 1, wherein the first entity is a mobile station.
5. The method for mutual authentication according to claim 1, wherein the second entity has limited processing capability.
6. The method for mutual authentication according to claim 1, wherein the first hash is further based on at least the second random number, such that the first hash is generated based on at least the first random number concatenated with the second random number.
7. The method for mutual authentication according to claim 1, wherein the second hash is further based on at least the first random number.
8. The method for mutual authentication according to claim 1, wherein the second hash is further based on at least the first hash, such that the second hash is generated based on at least the second random number concatenated with the first hash.
9. An apparatus for mutual authentication, comprising:
a module for initiating mutual authentication by sending a message, wherein the message initiating mutual authentication comprises a hash of at least one trusted root key and a corresponding first certificate chain;
a module for verifying a first public key associated with a first entity, generating a first random number, encrypting the first random number using the first public key, and sending the encrypted first random number in a message, wherein the message comprising the encrypted first random number further comprises a second certificate chain;
a module for verifying a second public key associated with a second entity, decrypting the encrypted first random number using a first private key corresponding to the first public key, generating a second random number, generating a first hash based on at least the first random number, encrypting the second random number and the first hash using the second public key, and sending the encrypted second random number and first hash in a message;
a module for decrypting the encrypted second random number and first hash using a second private key corresponding to the second public key, verifying the first hash to authenticate the first entity and to determine that the first entity knows the first random number, generating a second hash based on at least the second random number, and sending the second hash in a message; and
a module for verifying the second hash to authenticate the second entity and to determine that the second entity knows the second random number.
10. The apparatus for mutual authentication according to claim 9, further comprising:
a module for deriving a session encryption key and a message authentication code (MAC) key from the first random number and the second random number according to a key derivation function, for use in communication between the first entity and the second entity.
11. The apparatus for mutual authentication according to claim 9, wherein the first hash is further based on at least the second random number, such that the first hash is generated based on at least the first random number concatenated with the second random number.
12. The apparatus for mutual authentication according to claim 9, wherein the second hash is further based on at least the first random number.
13. The apparatus for mutual authentication according to claim 9, wherein the second hash is further based on the first hash, such that the second hash is generated based on the second random number concatenated with the first hash.
14. A station for performing mutual authentication with a secure removable media device, comprising:
a digital rights agent, wherein
the digital rights agent initiates mutual authentication by sending a message to the secure removable media device, wherein the message initiating mutual authentication comprises a hash of at least one trusted root key and a corresponding certificate chain of the digital rights agent, and wherein the secure removable media device verifies a first public key associated with the digital rights agent, generates a first random number, encrypts the first random number using the first public key, and sends the encrypted first random number in a message to the digital rights agent, wherein the message with the encrypted first random number that is sent from the secure removable media device to the digital rights agent further comprises a certificate chain of the secure removable media device;
the digital rights agent verifies a second public key associated with the secure removable media device, decrypts the encrypted first random number using a first private key corresponding to the first public key, generates a second random number, generates a first hash based on at least the first random number, encrypts the second random number and the first hash using the second public key, and sends the encrypted second random number and first hash in a message to the secure removable media device, wherein the secure removable media device decrypts the encrypted second random number and first hash using a second private key corresponding to the second public key, verifies the first hash in order to authenticate the digital rights agent and to determine that the digital rights agent knows the first random number, generates a second hash based on at least the second random number, and sends the second hash to the digital rights agent; and
the digital rights agent verifies the second hash in order to authenticate the secure removable media device and to determine that the secure removable media device knows the second random number.
15. The station for performing mutual authentication according to claim 14, wherein the digital rights agent and the secure removable media device each use the first random number and the second random number to derive a session encryption key and a message authentication code (MAC) key according to a key derivation function, for use in communication between the digital rights agent and the secure removable media device.
16. The station for performing mutual authentication according to claim 14, wherein the certificate chain of the digital rights agent comprises the public key associated with the digital rights agent.
17. The station for performing mutual authentication according to claim 14, wherein the certificate chain of the secure removable media device comprises the public key associated with the secure removable media device.
18. The station for performing mutual authentication according to claim 14, wherein the station is a mobile station.
19. The station for performing mutual authentication according to claim 14, wherein the first hash is further based on at least the second random number, such that the digital rights agent generates the first hash based on at least the first random number concatenated with the second random number.
20. An apparatus for performing mutual authentication, comprising:
a module for causing a digital rights agent of a station to initiate mutual authentication by sending a message to a secure removable media device, wherein the message initiating mutual authentication comprises a hash of at least one trusted root key and a corresponding certificate chain of the digital rights agent, and wherein the secure removable media device verifies a first public key associated with the digital rights agent, generates a first random number, encrypts the first random number using the first public key, and sends the encrypted first random number in a message to the digital rights agent, wherein the message with the encrypted first random number that is sent from the secure removable media device to the digital rights agent further comprises a certificate chain of the secure removable media device;
a module for causing the digital rights agent to verify a second public key associated with the secure removable media device, decrypt the encrypted first random number using a first private key corresponding to the first public key, generate a second random number, generate a first hash based on at least the first random number, encrypt the second random number and the first hash using the second public key, and send the encrypted second random number and first hash in a message to the secure removable media device, wherein the secure removable media device decrypts the encrypted second random number and first hash using a second private key corresponding to the second public key, verifies the first hash in order to authenticate the digital rights agent and to determine that the digital rights agent knows the first random number, generates a second hash based on at least the second random number, and sends the second hash to the digital rights agent; and
a module for causing the digital rights agent to verify the second hash in order to authenticate the secure removable media device and to determine that the secure removable media device knows the second random number.
21. An apparatus for performing mutual authentication, comprising:
a module for causing a secure removable media device to verify a first public key associated with a digital rights agent, generate a first random number, encrypt the first random number using the first public key, and send the encrypted first random number in a message to the digital rights agent, wherein the message with the encrypted first random number that is sent from the secure removable media device to the digital rights agent further comprises a certificate chain of the secure removable media device, wherein the digital rights agent initiates mutual authentication by sending a message to the secure removable media device, wherein the message initiating mutual authentication comprises a hash of at least one trusted root key and a corresponding certificate chain of the digital rights agent, and wherein the digital rights agent verifies a second public key associated with the secure removable media device, decrypts the encrypted first random number using a first private key corresponding to the first public key, generates a second random number, generates a first hash based on at least the first random number, encrypts the second random number and the first hash using the second public key, and sends the encrypted second random number and first hash in a message to the secure removable media device;
a module for causing the secure removable media device to decrypt the encrypted second random number and first hash using a second private key corresponding to the second public key, verify the first hash in order to authenticate the digital rights agent and to determine that the digital rights agent knows the first random number, generate a second hash based on at least the second random number, and send the second hash to the digital rights agent, wherein the digital rights agent verifies the second hash in order to authenticate the secure removable media device and to determine that the secure removable media device knows the second random number.
CN2007800377025A 2006-10-10 2007-10-05 Method and apparatus for mutual authentication Active CN101523800B (en)

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
US85088206P 2006-10-10 2006-10-10
US60/850,882 2006-10-10
US11/866,946 US8892887B2 (en) 2006-10-10 2007-10-03 Method and apparatus for mutual authentication
US11/866,946 2007-10-03
PCT/US2007/080525 WO2008045773A2 (en) 2006-10-10 2007-10-05 Method and apparatus for mutual authentication

Publications (2)

Publication Number Publication Date
CN101523800A CN101523800A (en) 2009-09-02
CN101523800B true CN101523800B (en) 2013-05-01

Family

ID=39217993

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2007800377025A Active CN101523800B (en) 2006-10-10 2007-10-05 Method and apparatus for mutual authentication

Country Status (18)

Country Link
US (2) US8892887B2 (en)
EP (1) EP2082525B1 (en)
JP (2) JP2010506542A (en)
KR (1) KR101284779B1 (en)
CN (1) CN101523800B (en)
AU (1) AU2007307906B2 (en)
BR (1) BRPI0718048B1 (en)
CA (1) CA2663644C (en)
ES (1) ES2662071T3 (en)
HK (1) HK1136115A1 (en)
HU (1) HUE036864T2 (en)
IL (1) IL197590A (en)
MX (1) MX2009003684A (en)
MY (1) MY162283A (en)
NO (1) NO342744B1 (en)
RU (1) RU2420896C2 (en)
TW (1) TWI368427B (en)
WO (1) WO2008045773A2 (en)

Families Citing this family (73)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7836306B2 (en) * 2005-06-29 2010-11-16 Microsoft Corporation Establishing secure mutual trust using an insecure password
US8892887B2 (en) * 2006-10-10 2014-11-18 Qualcomm Incorporated Method and apparatus for mutual authentication
KR101366243B1 (en) * 2006-12-04 2014-02-20 삼성전자주식회사 Method for transmitting data through authenticating and apparatus therefor
JP2008269088A (en) * 2007-04-17 2008-11-06 Toshiba Corp Program information providing system, program information providing method, and storage medium used for it
KR101391151B1 (en) * 2007-06-01 2014-05-02 삼성전자주식회사 Method and apparatus for authenticating between clients using session key shared with server
US8219804B2 (en) * 2007-09-13 2012-07-10 Ricoh Company, Ltd. Approach for managing device usage data
US20100031026A1 (en) * 2007-11-01 2010-02-04 Infineon Technologies North America Corp. Method and system for transferring information to a device
US8627079B2 (en) 2007-11-01 2014-01-07 Infineon Technologies Ag Method and system for controlling a device
US8908870B2 (en) 2007-11-01 2014-12-09 Infineon Technologies Ag Method and system for transferring information to a device
US8819838B2 (en) 2008-01-25 2014-08-26 Google Technology Holdings LLC Piracy prevention in digital rights management systems
CN101577697B (en) * 2008-05-07 2012-09-05 深圳市络道科技有限公司 Authentication method and authentication system for enforced bidirectional dynamic password
EP2120393A1 (en) * 2008-05-14 2009-11-18 Nederlandse Centrale Organisatie Voor Toegepast Natuurwetenschappelijk Onderzoek TNO Shared secret verification method
CN101640589B (en) * 2008-07-29 2012-11-07 华为技术有限公司 Method and device for sharing license between safe and removable media
CN101378320B (en) * 2008-09-27 2011-09-28 北京数字太和科技有限责任公司 Authentication method and system
CN101729251B (en) * 2008-10-21 2012-09-05 华为技术有限公司 Method and device of CGA signature verification
KR101141346B1 (en) * 2009-12-28 2012-05-03 포항공과대학교 산학협력단 Authentication method for IPTV system and settop box therefor
US8467532B2 (en) * 2010-01-04 2013-06-18 Tata Consultancy Services Limited System and method for secure transaction of data between a wireless communication device and a server
DE102010044518A1 (en) * 2010-09-07 2012-03-08 Siemens Aktiengesellschaft Method for certificate-based authentication
CN102082790B (en) * 2010-12-27 2014-03-05 北京握奇数据系统有限公司 Method and device for encryption/decryption of digital signature
FR2970612B1 (en) * 2011-01-19 2013-01-04 Natural Security METHOD FOR AUTHENTICATING A FIRST COMMUNICATION EQUIPMENT WITH A SECOND COMMUNICATION EQUIPMENT
US20120303974A1 (en) * 2011-05-25 2012-11-29 Condel International Technologies Inc. Secure Removable Media and Method for Managing the Same
CN102377572B (en) * 2011-11-23 2014-01-29 广东南方信息安全产业基地有限公司 Mutual authentication method based on linear shift
CN103138923B (en) * 2011-11-24 2016-06-22 中国移动通信集团公司 A kind of internodal authentication, Apparatus and system
CN102438044B (en) * 2011-12-04 2014-02-19 河南科技大学 Digital content trusted usage control method based on cloud computing
US8769627B1 (en) * 2011-12-08 2014-07-01 Symantec Corporation Systems and methods for validating ownership of deduplicated data
CN102523094A (en) * 2011-12-27 2012-06-27 苏州佰思迈信息咨询有限公司 Password authentication system
CN102737185B (en) * 2012-06-08 2015-07-01 杭州华澜微科技有限公司 Digital copyright protection method
KR101330867B1 (en) 2012-12-27 2013-11-18 신한카드 주식회사 Authentication method for payment device
DE102013000088A1 (en) * 2013-01-08 2014-07-10 Claas Saulgau Gmbh Method and device for authenticating at least two agricultural devices coupled via a data bus
CN103078742B (en) * 2013-01-10 2015-04-08 天地融科技股份有限公司 Generation method and system of digital certificate
US9143331B2 (en) * 2013-02-07 2015-09-22 Qualcomm Incorporated Methods and devices for authentication and key exchange
WO2015026664A1 (en) * 2013-08-20 2015-02-26 Mastercard International Incorporated Method and system for computing code management platform
US9288672B2 (en) * 2013-09-23 2016-03-15 Qualcomm Incorporated Method for configuring a remote station with a certificate from a local root certificate authority for securing a wireless network
JP6187251B2 (en) * 2013-12-27 2017-08-30 富士通株式会社 Data communication method and data communication apparatus
CN104346556A (en) * 2014-09-26 2015-02-11 中国航天科工集团第二研究院七〇六所 Hard disk security protection system based on wireless security certification
CN106209739B (en) 2015-05-05 2019-06-04 科大国盾量子技术股份有限公司 Cloud storage method and system
JP2017004133A (en) * 2015-06-08 2017-01-05 株式会社リコー Service providing system, information processing system, information processing device, service providing method, and program
WO2017039775A2 (en) * 2015-06-11 2017-03-09 PeerNova, Inc. Making cryptographic claims about stored data using an anchoring system
CN106332066A (en) * 2015-06-15 2017-01-11 数据通信科学技术研究所 Identity authentication method and system between mobile terminal
CN106685643B (en) * 2015-11-07 2019-07-19 上海复旦微电子集团股份有限公司 The method and device of public key verifications under CRT mode
JP2018534629A (en) 2015-11-22 2018-11-22 アンバウンド テック リミテッド Method for performing keyed hash message authentication code (HMAC) using multi-party computation without Boolean gates
US10231123B2 (en) * 2015-12-07 2019-03-12 GM Global Technology Operations LLC Bluetooth low energy (BLE) communication between a mobile device and a vehicle
CN105635114B (en) * 2015-12-18 2019-02-26 恒宝股份有限公司 A kind of password method of calibration and system
US11606219B2 (en) * 2016-02-23 2023-03-14 Nchain Licensing Ag System and method for controlling asset-related actions via a block chain
CN106027482B (en) * 2016-04-18 2019-11-15 李明 A kind of identity card card reading response method and device
KR101838511B1 (en) * 2016-05-17 2018-03-14 현대자동차주식회사 Method of providing security for controller using encryption and appratus for implementing the same
US20180013566A1 (en) * 2016-07-05 2018-01-11 Dark Matter L.L.C. Apparatus, computer program, and method for securely broadcasting messages
JP2018067854A (en) 2016-10-21 2018-04-26 株式会社プラットフィールド Information communication system
CN106656489B (en) * 2016-12-07 2020-04-14 浙江工商大学 Mobile payment-oriented safety improvement method for information interaction between self-service selling equipment and server
WO2018228732A1 (en) * 2017-06-14 2018-12-20 Gemalto Sa Method for mutual symmetric authentication between a first application and a second application
CN109391594B (en) * 2017-08-09 2021-07-30 中国电信股份有限公司 Security authentication system and method
KR102029053B1 (en) * 2017-08-28 2019-10-07 아주대학교산학협력단 Virtual machine migration device and method thereof
KR101886367B1 (en) * 2017-10-12 2018-08-09 (주)티엔젠 Generation of device individual session key in inter-object communication network and verification of encryption and decryption function between devices using it
CN107819576A (en) * 2017-11-28 2018-03-20 苏州朗捷通智能科技有限公司 Communication authentication method and system
US11743253B2 (en) * 2018-05-08 2023-08-29 Roche Diabetes Care, Inc. Methods and systems for bidirectional device authentication
CN108494811B (en) * 2018-06-27 2021-06-18 深圳市思迪信息技术股份有限公司 Data transmission security authentication method and device
FR3092923B1 (en) * 2019-02-19 2021-05-21 Sangle Ferriere Bruno Cryptographic method of data verification
CN109872155A (en) * 2019-02-22 2019-06-11 矩阵元技术(深圳)有限公司 Data processing method and device
JP6844788B2 (en) * 2019-03-04 2021-03-17 株式会社プラットフィールド Information communication system
US11405214B2 (en) * 2019-04-04 2022-08-02 Y R Free Labs Limited Secure transmission
CN110717199B (en) * 2019-08-21 2022-02-25 深圳市比比赞科技有限公司 Photovoltaic panel encryption method and system in PAYGO mode
CN110659474B (en) * 2019-10-10 2021-07-30 Oppo广东移动通信有限公司 Inter-application communication method, device, terminal and storage medium
CN111030984B (en) * 2019-10-22 2022-08-19 上海泰宇信息技术股份有限公司 Data safety transmission system and method
CN111064577A (en) * 2019-12-03 2020-04-24 支付宝(杭州)信息技术有限公司 Security authentication method and device and electronic equipment
RU2765406C1 (en) * 2020-05-14 2022-01-28 Акционерное общество "Научно-производственный центр автоматики и приборостроения имени академика Н.А. Пилюгина" (АО "НПЦАП") Symmetrical data encryption apparatus using a strong authentication algorithm
CN114189343A (en) * 2020-09-14 2022-03-15 华为技术有限公司 Mutual authentication method and device
CN112153038B (en) * 2020-09-18 2022-06-07 山东英信计算机技术有限公司 Method and device for secure login, authentication terminal and readable storage medium
US11843702B2 (en) * 2020-11-20 2023-12-12 The Toronto-Dominion Bank System and method for secure distribution of resource transfer request data
US20220209965A1 (en) * 2020-12-30 2022-06-30 Fujitsu Limited Repudiable credentials
US20230078954A1 (en) * 2021-09-10 2023-03-16 Assa Abloy Ab Fast bilateral key confirmation
CN114301596A (en) * 2021-11-18 2022-04-08 成都市卡蛙科技有限公司 OTA (over the air) secure communication method and device for vehicle intranet, vehicle-mounted system and storage medium
CN114024780B (en) * 2022-01-06 2022-03-18 北京交研智慧科技有限公司 Node information processing method and device based on Internet of things equipment
CN116055188B (en) * 2023-01-28 2023-07-14 紫光同芯微电子有限公司 Bidirectional authentication method, bidirectional authentication device and bidirectional authentication system for equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6769060B1 (en) * 2000-10-25 2004-07-27 Ericsson Inc. Method of bilateral identity authentication
US7024690B1 (en) * 2000-04-28 2006-04-04 3Com Corporation Protected mutual authentication over an unsecured wireless communication channel

Family Cites Families (34)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH10301492A (en) * 1997-04-23 1998-11-13 Sony Corp Enciphering device and method therefor, decoding device and method therefor, and information processing device and method therefor
US6225888B1 (en) * 1997-12-08 2001-05-01 Nokia Telecommunications Oy Authentication between communicating parties in a telecommunications network
US6151676A (en) * 1997-12-24 2000-11-21 Philips Electronics North America Corporation Administration and utilization of secret fresh random numbers in a networked environment
US6754820B1 (en) * 2001-01-30 2004-06-22 Tecsec, Inc. Multiple level access system
WO2001015380A1 (en) * 1999-08-20 2001-03-01 Sony Corporation Information transmission system and method, drive device and access method, information recording medium, device and method for producing recording medium
KR100619005B1 (en) * 1999-11-25 2006-08-31 삼성전자주식회사 Authentication method for establishing connection between devices
US20020138728A1 (en) * 2000-03-07 2002-09-26 Alex Parfenov Method and system for unified login and authentication
US6766453B1 (en) * 2000-04-28 2004-07-20 3Com Corporation Authenticated diffie-hellman key agreement protocol where the communicating parties share a secret key with a third party
US6920559B1 (en) * 2000-04-28 2005-07-19 3Com Corporation Using a key lease in a secondary authentication protocol after a primary authentication protocol has been performed
US7552333B2 (en) * 2000-08-04 2009-06-23 First Data Corporation Trusted authentication digital signature (tads) system
EP1316168A4 (en) * 2000-08-04 2006-05-10 First Data Corp Method and system for using electronic communications for an electronic contact
JP4654497B2 (en) * 2000-08-31 2011-03-23 ソニー株式会社 Personal authentication system, personal authentication method, information processing apparatus, and program providing medium
US9219708B2 (en) * 2001-03-22 2015-12-22 Dialware Inc. Method and system for remotely authenticating identification devices
JP4811840B2 (en) 2001-03-29 2011-11-09 株式会社日本総合研究所 Log collection system, server used for log collection system, and medium recording program for controlling server
JP4287097B2 (en) 2001-07-09 2009-07-01 パナソニック株式会社 Digital copyright protection system, recording / reproducing apparatus, recording medium apparatus, and model change apparatus
TWI308306B (en) * 2001-07-09 2009-04-01 Matsushita Electric Ind Co Ltd Digital work protection system, record/playback device, recording medium device, and model change device
JP2003124927A (en) 2001-10-15 2003-04-25 Sony Corp Mutual authentication system, mutual authentication method, mutual authentication equipment and storage medium
US6996715B2 (en) * 2002-01-03 2006-02-07 Lockheed Martin Corporation Method for identification of a user's unique identifier without storing the identifier at the identification site
JP3791464B2 (en) * 2002-06-07 2006-06-28 ソニー株式会社 Access authority management system, relay server and method, and computer program
US7171467B2 (en) * 2002-06-13 2007-01-30 Engedi Technologies, Inc. Out-of-band remote management station
ATE315859T1 (en) * 2002-09-17 2006-02-15 Errikos Pitsos METHOD AND DEVICE FOR PROVIDING A LIST OF PUBLIC KEYS IN A PUBLIC KEY SYSTEM
JP4504099B2 (en) * 2003-06-25 2010-07-14 株式会社リコー Digital certificate management system, digital certificate management apparatus, digital certificate management method, update procedure determination method and program
JP4283699B2 (en) * 2004-02-13 2009-06-24 株式会社日立製作所 Content transfer control device, content distribution device, and content reception device
US7694335B1 (en) * 2004-03-09 2010-04-06 Cisco Technology, Inc. Server preventing attacks by generating a challenge having a computational request and a secure cookie for processing by a client
AU2005223902B2 (en) * 2004-03-22 2008-04-03 Samsung Electronics Co., Ltd. Authentication between device and portable storage
JP4562464B2 (en) * 2004-09-07 2010-10-13 富士通株式会社 Information processing device
JP4793268B2 (en) * 2004-12-17 2011-10-12 日本電気株式会社 Common key block encryption apparatus, common key block encryption method, and common key block encryption program
US7606361B2 (en) * 2005-03-18 2009-10-20 Oracle International Corporation Sending a message securely over an insecure channel
US7631346B2 (en) 2005-04-01 2009-12-08 International Business Machines Corporation Method and system for a runtime user account creation operation within a single-sign-on process in a federated computing environment
US8028329B2 (en) * 2005-06-13 2011-09-27 Iamsecureonline, Inc. Proxy authentication network
US7814318B1 (en) * 2005-09-27 2010-10-12 Oracle America, Inc. Scalable file system configured to make files permanently unreadable
JP4800377B2 (en) * 2006-02-28 2011-10-26 パナソニック株式会社 Authentication system, CE device, portable terminal, key certificate issuing authority, and key certificate acquisition method
US8892887B2 (en) * 2006-10-10 2014-11-18 Qualcomm Incorporated Method and apparatus for mutual authentication
JP5132222B2 (en) * 2007-08-13 2013-01-30 株式会社東芝 Client device, server device, and program

Also Published As

Publication number Publication date
BRPI0718048B1 (en) 2020-01-07
NO342744B1 (en) 2018-08-06
IL197590A0 (en) 2009-12-24
EP2082525A2 (en) 2009-07-29
CA2663644A1 (en) 2008-04-17
US9112860B2 (en) 2015-08-18
HK1136115A1 (en) 2010-06-18
RU2420896C2 (en) 2011-06-10
EP2082525B1 (en) 2018-01-24
KR101284779B1 (en) 2013-08-23
IL197590A (en) 2014-04-30
TW200830834A (en) 2008-07-16
AU2007307906A1 (en) 2008-04-17
NO20091813L (en) 2009-05-07
WO2008045773A3 (en) 2008-06-12
US20150074403A1 (en) 2015-03-12
RU2009117677A (en) 2010-11-20
BRPI0718048A2 (en) 2014-04-29
ES2662071T3 (en) 2018-04-05
TWI368427B (en) 2012-07-11
HUE036864T2 (en) 2018-08-28
KR20090067200A (en) 2009-06-24
WO2008045773A2 (en) 2008-04-17
US8892887B2 (en) 2014-11-18
JP2013017197A (en) 2013-01-24
US20080155260A1 (en) 2008-06-26
AU2007307906B2 (en) 2011-03-24
CN101523800A (en) 2009-09-02
MY162283A (en) 2017-05-31
JP2010506542A (en) 2010-02-25
MX2009003684A (en) 2009-07-06
CA2663644C (en) 2014-03-25

Similar Documents

Publication Publication Date Title
CN101523800B (en) Method and apparatus for mutual authentication
US11943343B2 (en) ECDHE key exchange for server authentication and a key server
WO2018045817A1 (en) Mobile network authentication method, terminal device, server and network authentication entity
EP3073668B1 (en) Apparatus and method for authenticating network devices
CN111869249A (en) Safe BLE JUST WORKS pairing method for man-in-the-middle attack
CN104683359A (en) Safety channel establishment method, and data protection method and safety channel key updating method thereof
KR20130077171A (en) Authentication method between server and device
Noh et al. Secure authentication and four-way handshake scheme for protected individual communication in public wi-fi networks
CN112165386A (en) Data encryption method and system based on ECDSA
CN104243452A (en) Method and system for cloud computing access control
WO2022135391A1 (en) Identity authentication method and apparatus, and storage medium, program and program product
WO2022001225A1 (en) Identity credential application method, identity authentication method, device, and apparatus
WO2020216047A1 (en) Authentication information processing method, terminal, and network device
US20240064011A1 (en) Identity authentication method and apparatus, device, chip, storage medium, and program
WO2022178890A1 (en) Key transmission method and apparatus
Patalbansi Secure Authentication and Security System for Mobile Devices in Mobile Cloud Computing
KR20180079682A (en) Method for issuing a certificate
KR100968523B1 (en) A terminal, method for distributing session key and computer readable record-medium on which program for executing method thereof
Hsieh et al. An Improved Mutual Authentication Mechanism for Securing Smart Phones
CN116866001A (en) Method and device for accessing terminal equipment to gateway based on key management system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 1136115; Country of ref document: HK)

C14 Grant of patent or utility model
GR01 Patent grant
REG Reference to a national code (Ref country code: HK; Ref legal event code: GR; Ref document number: 1136115; Country of ref document: HK)